w3c / vc-jose-cose

Verifiable Credentials Working Group — VC JSON Web Tokens specification
https://w3c.github.io/vc-jose-cose/

Add a requirement on SD-JWT that `credentialStatus` should always be visible (plain). #285

Closed goncalo-frade-iohk closed 1 month ago

goncalo-frade-iohk commented 3 months ago

Hi.

There should be a requirement on SD-JWT that credentialStatus should always be plain and cannot be disclosable. If this requirement is not there, there is the possibility for a revoked credential to not be properly verified due to the presentation not disclosing the credentialStatus.

decentralgabe commented 3 months ago

This is useful language to add, thank you.

TallTed commented 3 months ago

"cannot be disclosable" seems the opposite of "should always be visible".

Perhaps you meant "cannot be selectively disclosable"?

selfissued commented 3 months ago

I agree with "cannot be selectively disclosable".

decentralgabe commented 1 month ago

Similarly, @context, type, and relatedResource values must not be selectively disclosable.

iherman commented 1 month ago

The issue was discussed in a meeting on 2024-09-27.

#### 2.1. Add a requirement on SD-JWT that `credentialStatus` should always be visible (plain). (issue vc-jose-cose#285)

_See GitHub issue [vc-jose-cose#285](https://github.com/w3c/vc-jose-cose/issues/285)._

**Brent Zundel:** let's talk about this issue.

**Gabe Cohen:** I might have missed something when addressing this issue, we should re-open it to add language.

**Brent Zundel:** I will re-open the issue.

**Gabe Cohen:** preparing PR for that.

**Manu Sporny:** to add detail, I think the things that need to be considered are: we need special language about selectively disclosing the `@context` field, whether or not to expose type value, changes around credential status.
… our org is not looking very closely at this stuff, we have not done an implementation, hopefully someone else is paying really close attention.
… sd-jwt is a framework and it makes assumptions about the data model.
… sd-jwt by itself is unaware of the things that should always be selectively disclosed.

> *Dave Longley:* +1 to Manu's general concerns.

**Manu Sporny:** it feels like there is more work to be done, but because we're not doing an implementation we cannot see the trip wires.
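The gap this issue describes, as an added example (not code from the issue, its participants or the specification): an issuer-side lint for protected claims, and a verifier-side check showing that a hidden `credentialStatus` whose disclosure is not presented cannot be told apart from a credential with no status. It assumes an already signature-verified SD-JWT payload decoded to a dict, credential claims at the top level, and `sha-256` digests; all function names and sample values are constructed.

```python
import base64
import hashlib
import json

# Claims this thread says must not be selectively disclosable.
ALWAYS_PLAIN = {"@context", "type", "credentialStatus", "relatedResource"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(salt: str, name: str, value) -> str:
    """SD-JWT object-property disclosure: base64url(JSON [salt, name, value])."""
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def claim_name(disclosure: str):
    """Claim name carried by a disclosure, or None for an array-element disclosure."""
    parts = json.loads(base64.urlsafe_b64decode(disclosure + "=" * (-len(disclosure) % 4)))
    return parts[1] if len(parts) == 3 else None

def digest(disclosure: str) -> str:
    """Digest placed in `_sd`: base64url(SHA-256(encoded disclosure)); sha-256 assumed."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issuer_violations(disclosures):
    """Issuer-side lint: protected claims that were made selectively disclosable."""
    return sorted({claim_name(d) for d in disclosures} & ALWAYS_PLAIN)

def status_visibility(payload: dict, presented):
    """Verifier-side view of top-level credentialStatus in one presentation."""
    if "credentialStatus" in payload:
        return "plain"  # always visible, so the status can be checked
    unmatched = set(payload.get("_sd", []))
    for d in presented:
        if digest(d) in unmatched:
            unmatched.discard(digest(d))
            if claim_name(d) == "credentialStatus":
                return "disclosed"  # hidden by the issuer, revealed by this holder
    # A leftover digest may be a withheld status, another claim, or a decoy.
    return "indeterminate" if unmatched else "absent"

# Constructed sample values (not from the thread).
STATUS = {"id": "https://issuer.example/status/1#42", "type": "BitstringStatusListEntry"}
D_STATUS = make_disclosure("c2FsdC0x", "credentialStatus", STATUS)
D_DEGREE = make_disclosure("c2FsdC0y", "degree", "BSc")
HIDDEN = {"type": ["VerifiableCredential"], "_sd": [digest(D_STATUS), digest(D_DEGREE)]}
PLAIN = {"type": ["VerifiableCredential"], "credentialStatus": STATUS, "_sd": [digest(D_DEGREE)]}

if __name__ == "__main__":
    print(issuer_violations([D_STATUS, D_DEGREE]))
    print(status_visibility(HIDDEN, [D_DEGREE]))
    print(status_visibility(PLAIN, [D_DEGREE]))
```

With the requirement in place, a verifier can treat anything other than `plain` or `absent` as a policy failure, and an issuer can refuse to sign when `issuer_violations` is non-empty.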